23 changed files with 210 additions and 55 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,7 @@
 root = true
 [*.sh]
 end_of_line = lf
 insert_final_newline = true
 indent_style = space
 indent_size = 4
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
 stage3-*.tar.*
 latest-*.txt
--- a/README.md
+++ b/README.md
@ -1,55 +0,0 @@
 # Aimee OS Build Container Images
 This repository contains the build scripts for the container images that
 provide the build environment for Aimee OS projects.  Most projects will use
 the _build/build-{target}_ image, which contains a cross-compiler toolchain for
 the _{target}_ system (e.g. _aarch64-unknown-linux-gnu_) with Rust support, as
 well as several other tools for compiling software and creating bootable OS
 images.
 ## Container Images
 There are several images in the collection:
 ```
 gentoo/stage3 †
 build/base
 └── build/cross-aarch64-unknown-linux-gnu
    └── build/build-aarch64-unknown-linux-gnu ‡
 ```
 † The _gentoo/stage3_ image contains an unmodified Gentoo stage3 system.  It is
 used to bootstrap the _build/base_ image.
 ‡ Although the _build/build-{target}_ image is initially populated from the
 corresponding _build/cross-{target}_ image, the final image is "squashed" into
 a single layer to minimize download size.
 ## Git Branches
 To enable building images in Jenkins without building all of the preceding
 images, each image has its own Jenkins job.  Since Jenkins does not support
 (auto discovering) multiple jobs in a single Git repository branch, the build
 scripts for the images are tracked in separate branches.  Each branch is named
 like _{image}/{sub-branch}_, where _{image}_ is the short name of the image
 (e.g. `base`, `cross`, etc) and _{sub-branch}_ is an arbitrary name (e.g.
 _main_).
 * _base/main_: This branch is responsible for building _gentoo/stage3_ and
  _build/base_.
 * _cross/main_: This branch contains the build script for
  _build/cross-{target}_.
 * _build/main_: This branch builds _build/build-{target}_.
 In addition to the per-image branches, there is also _lib/{sub-branch}_.
 Code shared by multiple image build scripts is tracked here.  Build scripts
 expect the shared code to be available in the `lib` directory, which is
 generally populated using a Git worktree, e.g.:
 ```sh
 git worktree add lib lib/main
 ```
 The _main_ branch itself is empty except for this README.
--- a/build.sh
+++ b/build.sh
@ -0,0 +1,36 @@
 #!/bin/sh
 SELF=$(readlink -f "$0")
 SRCDIR=${SELF%/*}
 . "${SRCDIR}"/lib/common.sh
 target=aarch64-unknown-linux-gnu
 while [ $# -gt 0 ]; do
    case "$1" in
    -t|--target)
        shift
        target="$1"
        ;;
    -b|--base)
        shift
        base="$1"
        ;;
    *)
        printf 'Unknown argument: %s\n' "$1" >&2
        exit 2
        ;;
    esac
    shift
 done
 if [ -z "${base-}" ]; then
    base=aimee-os.org/build/cross-"${target}"
 fi
 set -e
 cid=$(buildah from "${base}")
 buildah add "${cid}" portage /etc/portage
 buildah_run_script "${cid}" "${SRCDIR}"/lib/sync.sh
 buildah_run_script "${cid}" "${SRCDIR}"/tools.sh
 buildah commit --rm --squash "${cid}" "aimee-os.org/build/build-${target}"
--- a/ci/Jenkinsfile
+++ b/ci/Jenkinsfile
@ -0,0 +1,60 @@
 pipeline {
    agent {
        kubernetes {
            yamlFile 'ci/podTemplate.yaml'
            yamlMergeStrategy merge()
            defaultContainer 'buildah'
        }
    }
    stages {
        stage('Prepare') {
            steps {
                container('jnlp') {
                    // TODO checkout lib/ branch based on $BRANCH_NAME
                    sh 'git fetch origin lib/main:lib/main'
                    sh 'git worktree add lib lib/main'
                }
            }
        }
        stage('Build') {
            steps {
                sh 'sh -e build.sh --base git.pyrocufflink.net/aimeeos/build/rust-cross-aarch64-unknown-linux-gnu'
            }
        }
        stage('Push') {
            steps {
                withEnv([
                    "REGISTRY_AUTH_FILE=${env.WORKSPACE_TMP}/auth.json"
                ]) {
                    withCredentials([usernamePassword(
                        credentialsId: 'jenkins-packages',
                        usernameVariable: 'BUILDAH_USERNAME',
                        passwordVariable: 'BUILDAH_PASSWORD',
                    )]) {
                        sh """
                            buildah login \
                            --username \${BUILDAH_USERNAME} \
                            --password \${BUILDAH_PASSWORD} \
                            git.pyrocufflink.net
                        """
                    }
                    sh 'buildah push aimee-os.org/build/build-aarch64-unknown-linux-gnu git.pyrocufflink.net/aimeeos/build/build-aarch64-unknown-linux-gnu'
                }
            }
        }
    }
    post {
        failure {
            sh 'unshare -Ur --map-auto chown root:root -R tmp log'
            dir('tmp/portage') {
                archiveArtifacts '*/*/temp/*.log'
            }
            archiveArtifacts 'log/**/*'
        }
    }
 }
--- a/ci/podTemplate.yaml
+++ b/ci/podTemplate.yaml
@ -0,0 +1,51 @@
 spec:
  containers:
  - name: buildah
    image: quay.io/containers/buildah:v1
    command:
    - sh
    - -c
    - |
      trap 'kill $!; exit' TERM
      sleep infinity &
      wait
    securityContext:
      runAsUser: 1000
      runAsGroup: 1000
      readOnlyRootFilesystem: true
    resources:
      limits:
        github.com/fuse: 1
        cpu: 6
        memory: 8G
      requests:
        cpu: 6
        memory: 8G
    volumeMounts:
    - mountPath: /home/build
      name: tmp
      subPath: home
    - mountPath: /home/build/.local/share/containers
      name: data
      subPath: containers
    - mountPath: /tmp
      name: tmp
      subPath: tmp
    - mountPath: /var/tmp
      name: data
      subPath: tmp
  tolerations:
  - key: du5t1n.me/jenkins
  volumes:
  - name: data
    ephemeral:
      volumeClaimTemplate:
        spec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 16Gi
  - name: tmp
    emptyDir:
      medium: Memory
--- a/portage/env/nobuildpkg
+++ b/portage/env/nobuildpkg
@ -0,0 +1 @@
 FEATURES=-buildpkg
--- a/portage/make.conf/15-keywords.conf
+++ b/portage/make.conf/15-keywords.conf
@ -0,0 +1 @@
 ACCEPT_KEYWORDS="${ARCH}"
--- a/portage/make.conf/20-binpkgs.conf
+++ b/portage/make.conf/20-binpkgs.conf
@ -0,0 +1,2 @@
 FEATURES="${FEATURES} binpkg-multi-instance buildpkg"
 EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --usepkg --binpkg-respect-use=y"
--- a/portage/make.conf/60-nls.conf
+++ b/portage/make.conf/60-nls.conf
@ -0,0 +1 @@
 USE="${USE} -nls"
--- a/portage/make.conf/80-quiet.conf
+++ b/portage/make.conf/80-quiet.conf
@ -0,0 +1,2 @@
 EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --quiet-build=y --quiet-fail=y"
 FEATURES="${FEATURES} -news"
--- a/portage/package.accept_keywords/genimage
+++ b/portage/package.accept_keywords/genimage
@ -0,0 +1 @@
 sys-fs/genimage ~amd64
--- a/portage/package.accept_keywords/kernel
+++ b/portage/package.accept_keywords/kernel
@ -0,0 +1 @@
 sys-kernel/raspberrypi-sources **
--- a/portage/package.env/kernel
+++ b/portage/package.env/kernel
@ -0,0 +1,6 @@
 # vim: set ft=gentoo-package-use :
 # Dustin C. Hatch <dustin@hatch.name> (09 Feb 2023)
 # Do not build binary packages for kernel sources
 sys-kernel/gentoo-sources nobuildpkg
 sys-kernel/raspberrypi-sources nobuildpkg
--- a/portage/package.use/btrfs-progs
+++ b/portage/package.use/btrfs-progs
@ -0,0 +1 @@
 sys-fs/btrfs-progs -man
--- a/portage/package.use/git
+++ b/portage/package.use/git
@ -0,0 +1 @@
 dev-vcs/git -perl
--- a/portage/package.use/grub
+++ b/portage/package.use/grub
@ -0,0 +1 @@
 sys-boot/grub -* GRUB_PLATFORMS: -*
--- a/portage/package.use/kernel
+++ b/portage/package.use/kernel
@ -0,0 +1,2 @@
 sys-kernel/gentoo-sources symlink
 sys-kernel/raspberrypi-sources symlink
--- a/portage/package.use/qemu
+++ b/portage/package.use/qemu
@ -0,0 +1,5 @@
 # vim: set ft=gentoo-package-use :
 # Dustin C. Hatch <dustin@hatch.name> (11 Dec 2024)
 # Build a minimal QEMU for chrooting into the target environment
 app-emulation/qemu -* QEMU_USER_TARGETS: aarch64 PYTHON_TARGETS: python3_12
--- a/portage/package.use/selinux
+++ b/portage/package.use/selinux
@ -0,0 +1,2 @@
 sys-libs/libselinux python
 sys-process/audit python
--- a/portage/package.use/squashfs-tools
+++ b/portage/package.use/squashfs-tools
@ -0,0 +1 @@
 sys-fs/squashfs-tools zstd
--- a/portage/package.use/systemd
+++ b/portage/package.use/systemd
@ -0,0 +1,6 @@
 sys-apps/dbus systemd
 sys-apps/systemd -* PYTHON_SINGLE_TARGET: python3_12
 sec-policy/selinux-base systemd
 sec-policy/selinux-base-policy systemd
 virtual/tmpfiles systemd
 virtual/udev systemd
--- a/tools.sh
+++ b/tools.sh
@ -0,0 +1,20 @@
 #!/bin/sh
 xargs -r emerge -vnuUj --rebuilt-binaries=y <<EOF
 sys-apps/shadow
 EOF
 xargs -r emerge -vnuUj --rebuilt-binaries=y <<EOF
 app-emulation/qemu
 sec-policy/selinux-base
 sys-apps/policycoreutils
 sys-apps/kmod
 sys-apps/systemd
 sys-boot/grub
 sys-fs/btrfs-progs
 sys-fs/dosfstools
 sys-fs/genimage
 sys-fs/mtools
 sys-fs/squashfs-tools
 tini
 EOF
		`@ -0,0 +1,2 @@`
							`FEATURES="${FEATURES} binpkg-multi-instance buildpkg"`
							`EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --usepkg --binpkg-respect-use=y"`
		`@ -0,0 +1,2 @@`
							`EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --quiet-build=y --quiet-fail=y"`
							`FEATURES="${FEATURES} -news"`
		`@ -0,0 +1,2 @@`
							`sys-kernel/gentoo-sources symlink`
							`sys-kernel/raspberrypi-sources symlink`
		`@ -0,0 +1,2 @@`
							`sys-libs/libselinux python`
							`sys-process/audit python`